| skipped 10 lines |
11 | 11 | | * Encrypts the contents of the tunnel and authenticates the server by |
12 | 12 | | public key. |
13 | 13 | | |
14 | | - | It has these noteworthy limitations: |
15 | | - | * Requires intermediary resolvers to support large responses (1232 bytes, |
16 | | - | which is more than the mandated minimum of 512 bytes). |
17 | | - | |
18 | 14 | | dnstt is an application-layer tunnel that runs in userspace. It doesn't |
19 | 15 | | provide a TUN/TAP interface; it only hooks up a local TCP port with a |
20 | 16 | | remote TCP port (like netcat or `ssh -L`) by way of a DNS resolver. It |
| skipped 2 lines |
23 | 19 | | tunnel terminate at the proxy. |
24 | 20 | | |
25 | 21 | | ``` |
26 | | - | .------. .--------. .------. |
27 | | - | |tunnel|-- DoH / DoT --|resolver|-- UDP DNS --|tunnel| |
28 | | - | |client| '--------' |server| |
29 | | - | '------' '------' |
| 22 | + | .------. | .---------. .------. |
| 23 | + | |tunnel| | | public | |tunnel| |
| 24 | + | |client|<---DoH/DoT--->|recursive|<--UDP DNS-->|server| |
| 25 | + | '------' |c |resolver | '------' |
| 26 | + | | |e '---------' | |
| 27 | + | .------. |n .------. |
| 28 | + | |local | |s |remote| |
| 29 | + | | app | |o | app | |
| 30 | + | '------' |r '------' |
30 | 31 | | ``` |
31 | 32 | | |
32 | 33 | | |
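Review bot: the new diagram introduces a vertical boundary labelled `censor` (the letters c, e, n, s, o, r down the bar between the tunnel client and the public recursive resolver) and adds "local app" and "remote app" boxes, but neither is explained in the surrounding text and the new boxes have no connecting lines. Add a sentence after the figure saying the bar is the censor's network boundary, with the tunnel client and local app inside it and the resolver and tunnel server outside, and either draw the local app to tunnel client and tunnel server to remote app links or state that they are the local and remote TCP ports described in the paragraph above.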
| skipped 50 lines |
83 | 84 | | port 53. You can have it listen on port 53 directly using `-udp :53`, |
84 | 85 | | but that requires the program to run as root. It is better to run the |
85 | 86 | | program as an ordinary user and have it listen on an unprivileged port |
86 | | - | (`:5300` above), and port-forward port 53 to it. On Linux, use this |
87 | | - | command to forward external port 53 to localhost port 5300: |
| 87 | + | (`:5300` above), and port-forward port 53 to it. On Linux, use these |
| 88 | + | commands to forward external port 53 to localhost port 5300: |
88 | 89 | | ``` |
89 | 90 | | # iptables -I INPUT -p udp --dport 5300 -j ACCEPT |
90 | 91 | | # iptables -t nat -I PREROUTING -i eth0 -p udp --dport 53 -j REDIRECT --to-ports 5300 |
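Review bot: the second command hard-codes `-i eth0`, and the prose now says "these commands" without mentioning that the interface name must be adjusted; say that `eth0` is to be replaced with the host's external interface, and that iptables rules entered this way do not survive a reboot unless saved. The pair is otherwise consistent: the nat PREROUTING REDIRECT rewrites the destination port before the INPUT chain is evaluated, so matching `--dport 5300` (not 53) in the INPUT rule is correct.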
| skipped 58 lines |
149 | 150 | | |
150 | 151 | | You can make the tunnel into a general-purpose proxy by running a proxy |
151 | 152 | | server and connecting the server end of the tunnel to it. For example, |
152 | | - | Ncat has a built-in simple HTTP server: |
| 153 | + | Ncat has a built-in simple HTTP/HTTPS proxy: |
153 | 154 | | ``` |
154 | 155 | | $ ncat -lkv --proxy-type http 127.0.0.1 8000 |
155 | 156 | | $ ./dnstt-server -udp :5300 -privkey-file server.key t.example.com 127.0.0.1:8000 |
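Review bot: correct fix of the wording (`--proxy-type http` makes Ncat an HTTP/HTTPS proxy, not a web server), but the prose should also say why the proxy is bound to 127.0.0.1: only the tunnel server on the same host is meant to reach it. Readers who change the bind address to make Ncat reachable from the network would be running an open proxy, because no authentication is configured in this command.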
| skipped 53 lines |
209 | 210 | | The Noise layer is sandwiched between two other protocol layers: KCP |
210 | 211 | | (https://github.com/xtaci/kcp-go) which creates a reliable stream on top |
211 | 212 | | of unreliable datagrams, and smux (https://github.com/xtaci/smux) which |
212 | | - | provides stream multiplexing and session features. An observer (such as |
213 | | - | the intermediary resolver) may read the headers of the KCP layer, but not |
214 | | - | of the smux layer nor of the streams that are inside. The model is |
215 | | - | similar to what you would get with TLS or SSH over TCP: an observer can |
216 | | - | see TCP-level ACKs and sequence numbers, but cannot read the stream data |
217 | | - | inside. |
| 213 | + | provides stream multiplexing and session features. An observer who can |
| 214 | + | see DNS messages, such as the intermediary resolver, will be able to see |
| 215 | + | the headers of the KCP layer, but not of the smux layer nor of the |
| 216 | + | streams that are inside. The model is similar to what you would get with |
| 217 | + | TLS or SSH over TCP: an observer can see TCP-level ACKs and sequence |
| 218 | + | numbers, but cannot read the stream data. |
218 | 219 | | |
219 | 220 | | ``` |
220 | 221 | | application data |
| skipped 38 lines |
259 | 260 | | size as possible, but not larger than what is supported by the resolver |
260 | 261 | | you are using. Values above 1452 may cause IP fragmentation which can |
261 | 262 | | reduce performance. You can control the maximum UDP payload size with |
262 | | - | the `-mtu` option. The default is 1232 bytes; this ought to be supported |
263 | | - | by most resolvers that understand EDNS(0) (RFC 6891). For maximum |
264 | | - | compatibility, set the maximum to 512, but know that doing so will |
265 | | - | reduce downstream bandwidth. |
| 263 | + | the `-mtu` option on the server. The default is 1232 bytes; this ought |
| 264 | + | to be supported by most resolvers that understand EDNS(0) (RFC 6891). |
| 265 | + | For maximum compatibility, set the maximum to 512, but know that doing |
| 266 | + | so will reduce downstream bandwidth. |
266 | 267 | | ``` |
267 | | - | $ ./dnstt-client -mtu 512 -doh https://doh.example/dns-query -pubkey-file server.pub t.example.com 127.0.0.1:7000 |
| 268 | + | $ ./dnstt-server -mtu 512 -doh https://doh.example/dns-query -pubkey-file server.pub t.example.com 127.0.0.1:7000 |
268 | 269 | | ``` |
269 | 270 | | |
270 | 271 | | The client and server emit an "effective MTU" log line when starting up |
| skipped 6 lines |